Avast 4.7 caught snapsnet[1]. Now what?

Hi,
This is a two part question:
Avast 4.7 popped up with a message stating that my PC has the worm snapsnet[1].
I chose the Remove option, and Avast is unable to do this, saying that the file is in use.
I went to the temp internet directory where the executable is to delete it manually and still get the same message.
I have not yet closed the avast alert window and am not sure if I should reboot.

What do I do now???

Also, while this was going on, AntispyWareMaster popped up and looked like it was doing a scan of my system. It found 39 very nasty sounding viruses. That program locked before I clicked anything on it (yay!) and I closed it with task manager. I found at wiki-security that AntiSpywareMaster is a virus itself! It showed up as a newly installed program on my start menu.

How do I get rid of this one?

Is it safe to reboot and let Avast run again? I’ve unplugged the PC from my network.
FYI, I am running XP with the latest service pack/patches and the user that this all happened on has only superuser privileges (not admin)

Thanks.
sweating bullets here :(

I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

RogueRemover is a utility that can remove various rogue antispyware, antivirus and hard drive cleaning utilities. Rogue applications are applications that rather than remove spyware, provide false positives, distribute malware or spyware, advertise, or provide useless uninstallers. The main point is that rogue applications are useless and eat up system resources.

Check http://www.malwarebytes.org/rogueremover.php

Thank you for the detailed directions. I have system restore disabled permanently on my PC, I will do as you suggest and post the results here.

I started by deleting all IE temporary files which worked with the exception of the snapsnet[1].exe file which is still there and the following files in other folders:
install_en[1].exe
3[1].htm
const[1].htm
I cannot manually delete any of these and get the “program is in use” error.

I have Avast Home Edition 4.8
In the Avast warning window that has popped up, clicking “delete” or “move to chest” has no effect. The warning window comes back up again.
When I choose schedule a boot time scan, I get an access denied error.
What do I do? click “no action”? That sounds scary!!!

sorry to be stupid about this.

So all those 39 nasty sounding viruses that AntiSpyWareMaster listed are not really there, and AntiSpyWareMaster isn’t so malicious and just takes room?
If that’s the case, that’s a relief. Some of the crap it was listing was keyloggers and backdoor utilities etc…
Why should I not just run RogueRemover first and get that thing off of my PC? I tried looking in the Add/Remove Programs list in Control Panel, but of course it is not listed there.
Thanks again.

All of them are suspect.

When? When you run boot time scanning or before, when you’re trying to schedule it.

AntiSpyWareMaster is a rogue program. Get rid of it asap.

Avast boot time scheduling gives me the access denied error when I try to schedule it.
I think it’s because the XP account I am using does not have admin privileges.
I logged on as admin and did as you suggested above.
All scans say clear now ;D Thanks sooooo much.

I’ve attached a copy of the HijackThis log here.
Anxious to hear if I’ve been cured!!!
Thanks again.

Yes, boot time scanning can only be scheduled by users in the admin group.
Hope someone with better knowledge can help you with HijackThis log.

Thanks for your help Tech.
If you believe in Karma, there’s some coming your way… ;D

I’d love to know what’s in the HijackThis log. I can’t make much sense of it. All seems OK. At least avast and superremover haven’t found anything new for a few hours so far…
Maybe having had system restore off as a default and not being logged on as an admin saved me a little???

You don’t appear to have an active firewall. What is your firewall?

The O15 entries below, did you create them?
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)

Do you know about this one, e.g. do you use Web Mail and is this URL known to you?
Whilst I find it strange/suspect that you should need to download this every time, the suspicion would depend on your answer to the above.

O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB

The same questions and suspicions would also be true of this entry:
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab

Other than that I don’t see anything obvious.
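The review in the reply above (look over the O15 Trusted Zone entries and the O16 DPF download entries, and treat any domain you did not knowingly add as suspect) can be automated against a saved HijackThis log. The script below is an added example for this thread; it is not part of HijackThis, avast or any tool named here. The sample log lines are constructed from the entries quoted in the thread, and the allow-list of known-good domains is an assumed, user-maintained set.

```python
"""Flag HijackThis O15 (Trusted Zone) and O16 (DPF) entries that are not on a user allow-list.

Added example for this forum thread; not part of HijackThis or of any product
named in the thread. Sample log lines are constructed from the thread's quoted
entries; KNOWN_GOOD is an assumed list the user maintains themselves.
"""
import re

# Constructed sample: the O15/O16 lines quoted in the thread plus one unrelated
# line, to show that other sections are ignored. Not a complete HijackThis log.
SAMPLE_LOG = """\
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
O4 - HKLM\\..\\Run: [example] C:\\example.exe
"""

# Assumed allow-list: the two domains the poster later confirmed as their own.
KNOWN_GOOD = {"secureserver.net", "smugmug.com"}

# O15 lines carry a host pattern (often wildcarded) and the registry hive it lives in.
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<pattern>\S+)(?: \((?P<hive>HKLM|HKCU)\))?")
# O16 lines carry a display name and the URL the ActiveX package is fetched from.
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.+?) - (?P<url>https?://\S+)")


def registered_domain(host: str) -> str:
    """Reduce '*.sub.example.com' or 'cdn.example.com' to 'example.com'.

    Naive last-two-labels rule; it mis-handles multi-part TLDs such as co.uk,
    which is acceptable for eyeballing a log but not for production use."""
    host = host.lstrip("*.").split("/")[0]
    return ".".join(host.split(".")[-2:])


def parse_entries(log_text: str):
    """Return (section, domain, detail, hive) tuples for every O15 and O16 line."""
    entries = []
    for line in log_text.splitlines():
        m = O15_RE.match(line)
        if m:
            pattern = m.group("pattern")
            entries.append(("O15", registered_domain(pattern), pattern, m.group("hive") or ""))
            continue
        m = O16_RE.match(line)
        if m:
            url = m.group("url")
            host = re.sub(r"^https?://", "", url).split("/")[0]
            entries.append(("O16", registered_domain(host), url, ""))
    return entries


def flag_suspicious(log_text: str, known_good=KNOWN_GOOD):
    """Return the entries whose domain is not on the allow-list.

    A Trusted Zone entry lowers Internet Explorer's security for that domain, so
    every O15 entry the user cannot vouch for is reported; O16 download sources
    are judged by the same rule."""
    return [e for e in parse_entries(log_text) if e[1] not in known_good]


if __name__ == "__main__":
    for section, domain, detail, hive in flag_suspicious(SAMPLE_LOG):
        print(f"{section}  {domain:<24} {detail} {hive}".rstrip())
```

Run against the constructed sample it reports the four wildcard Trusted Zone domains and nothing else; with an empty allow-list it would also list the two DPF sources, which is the right starting point when you have not yet confirmed which ones are yours.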

Thank you for the reply and your time!

Items O16 I recognize. My email system (secureserver) and a photo sharing site (smugmug).
Items O15 I do not recognize and have not added myself. What do I do (safely) to address these?

As for the firewall…
My PC is connected to a router and I was told that acted as a firewall. I also have the native Windows XP firewall active.

Thanks again! Looking forward to your instructions.

For the O15 entries, just run HJT again and tick the box to the left of the entry and click the Fix selected button. That should remove them from the trusted zone.

Routers, unless they specifically state it, don’t monitor outbound traffic.

So any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Thanks for the reply.
I will remove the O15 items from my trusted zones.
What would happen if one of those was important? can I get them back somehow?

Also, what should I use to monitor outbound traffic?

Thanks! Learning a lot here!

Nothing really, just that instead of being trusted (lower security) it would be classed as being in the normal web zone and subject to higher security.

If you do a google search on some of them you may find they are suspect; I think some of the domains may be for iffy supposed security applications. I think the only area I have as trusted is windowsupdate on IE.

Thanks.
I’ll remove those asap.
What do I do to strengthen my firewall and stay vigilant about possible re-infections?

Cheers to all for the help.

You’re welcome.

You can’t really strengthen your router’s firewall if it doesn’t currently provide outbound protection; you can only add a software firewall to the mix to handle outbound protection.

  • There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface. However, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See a forum discussion on free firewalls: http://forum.avast.com/index.php?topic=30808.0

See http://www.matousec.com/projects/firewall-challenge/results.php.